CVE-2003-1307

Apache mod_php - Local Privilege Escalation

Exploitation Summary

EIP tracks 2 public exploits for CVE-2003-1307. PoCs published by frauk\x41ser, Steve Grubb.

AI-analyzed exploit summary: This PoC demonstrates a local file descriptor manipulation vulnerability in Apache's mod_php, allowing an attacker to overwrite the access_log by repositioning and writing arbitrary content to file descriptor 7. The exploit leverages fcntl and lseek to modify the file descriptor's behavior.

Description

The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port. NOTE: the PHP developer has disputed this vulnerability, saying "The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... Not a bug in PHP."

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by frauk\x41ser · c · local · linux
https://www.exploit-db.com/exploits/23482

This PoC demonstrates a local file descriptor manipulation vulnerability in Apache's mod_php, allowing an attacker to overwrite the access_log by repositioning and writing arbitrary content to file descriptor 7. The exploit leverages fcntl and lseek to modify the file descriptor's behavior.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Apache mod_php (version not specified)
No auth needed
Prerequisites: Local access to the system · Ability to execute arbitrary code via PHP
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC · VERIFIED
by Steve Grubb · c · local · linux
https://www.exploit-db.com/exploits/23481

This exploit leverages a local privilege escalation vulnerability in Apache mod_php (CVE-2003-1307) by hijacking a privileged file descriptor (fd 4) to impersonate the legitimate server. It forks to avoid termination by Apache, initializes an SSL server, and serves malicious content to clients.

Classification: Working PoC 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apache HTTP Server with mod_php (versions affected by CVE-2003-1307)
No auth needed
Prerequisites: Local access to the vulnerable system · Apache with mod_php running · Privileged file descriptor (fd 4) accessible
devstral-2 · analyzed Feb 16, 2026

References (6)

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/449234/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/449298/100/0/threaded
Exploit x_refsource_misc
http://bugs.php.net/38915
Exploit, Vendor Advisory mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/348368
Exploit x_refsource_misc
http://hackerdom.ru/~dimmo/phpexpl.c
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/9302

Scores

EPSS 0.0160
EPSS Percentile 72.7%

Details

Status published
Products (19)
apache/http_server 2.0
apache/http_server 2.0.9
apache/http_server 2.0.28 (3 CPE variants)
apache/http_server 2.0.32 (2 CPE variants)
apache/http_server 2.0.34 beta
apache/http_server 2.0.35
apache/http_server 2.0.36
apache/http_server 2.0.37
apache/http_server 2.0.38
apache/http_server 2.0.39
... and 9 more
Published Dec 31, 2003
Tracked Since Feb 18, 2026